China Data Privacy Update – Enhanced Scrutiny of “Bundled Consent”

Did you know?

The Measures for the Supervision and Administration of Online Transactions (网络交易监督管理办法) (“Measures”) released by the PRC State Administration for Market Regulation will come into force on 1 May 2021 and will replace the previous rules implemented in 2014. Among other things, the Measures impose more stringent requirements against the common practice of “bundled consent”. This is in line with the recent legislative and enforcement trends in the area of data privacy in China.

Why does this matter to you?

The Measures indicate that market regulators are increasing their oversight of internet businesses and their practices. Businesses often wish to simplify the process for seeking customers’ consent, such as minimising the number of “clicks” required, before allowing them to use their online services. However, such practices may be regarded as seeking “bundled consent”.

Restrictions against “bundled consent” are not new; for instance, the Personal Information Security Specification (GB/T 35273-2020) and the Guide to the Self-Assessment of Illegal Collection and Use of Personal Information by Apps already regulate consent to collection and processing of different types of personal data, or consent to subscription of multiple business functions. The rationale is that individuals should be given autonomy and flexibility to decide the types of personal data to be provided and how such data will be processed. 

In further tackling the problem, the Measures require that:

  • online businesses shall not collect and use personal data which is not directly related to their business activities by way of bundled consent. It is, therefore, crucial for online businesses to comply with the principle of necessity in determining the types of personal data to be collected and used for the performance of their business functions;
  • online businesses shall obtain “itemised consent” (逐项取得消费者同意) to collect and use a person’s sensitive personal data, such as biometric characteristics, medical health information, financial accounts and personal location. This seems to be generally in line with the draft PRC Personal Data Protection Law which requires “separate consent” (单独同意) for collection and processing of sensitive personal data. However, we await further clarification as to whether these two types of consent are essentially the same;
  • online businesses shall not send commercial information without consent. When sending commercial information, an online business shall disclose its real identity and contact information and also provide prominent, convenient and free methods to refuse to receive such information. While there are similar requirements in the existing advertising laws and regulations, the more ambiguous wording used in the Measures actually seems to provide more flexibility to the regulators in enforcement against direct marketing malpractices;
  • when offering multiple goods or services to customers in a bundle, online businesses should notify customers of this with prominent notices. Also, default consent settings shall not be used when offering multiple options of goods or services. It is important to note that customers’ transaction history is not justification for such practice.

The Measures apply to online transactions conducted via social media platforms and live streaming campaigns. Online businesses are recommended to review their existing practice in light of the rapid regulatory developments. Please feel free to contact us if you have any questions.